Physical security critical in protecting agency data
- By Douglas Miorandi
- Nov 19, 2018
Edward Snowden’s name entered the cultural lexicon in 2013 after he leaked thousands of classified National Security Agency documents to journalists. He’s been called a traitor, a patriot, a revolutionary, a dissident and a whistleblower. However, there’s one way to categorize him that no one can dispute: He’s a thief.
There’s no doubt about it: Snowden took information that didn’t belong to him, and the scary truth is that he is neither the first nor the last government employee to attempt to smuggle secrets out of a building. We must learn from his success to prevent it from happening again.
Since the dawn of the digital age, we’ve fought cyber pirates with tools like firewalls, encryption, strong passwords, antivirus software and white-hat hackers. But with so much attention on protecting against data leaks, we sometimes forget about the other side of the coin: the risk that data can be physically removed from the building.
There are four main risks to physical data security -- some of which might not be obvious, but all of which are imperative to consider when creating a comprehensive approach to protecting critical assets.
Risk 1: The insider threat. Every government agency has at least one disgruntled employee, and that means every organization is at risk of having data walk out of the building with that employee. People steal data from their workplaces because they see it as a means to an end, whether it’s to expose damaging information as part of a personal vendetta or to sell or leak confidential or classified information to the media.
Risk 2: The outsider threat. Outside threats can come in the form of a spy -- someone hired to pose as a legitimate employee or private contractor in order to extract information -- or an opportunistic thief: a contractor working in sensitive areas who sees a chance and takes it.
Risk 3: The seemingly innocent personal item. There are two types of personal items that can be used to steal data: the commercially available off-the-shelf (COTS) variety and those that have been intentionally disguised. COTS devices include SD cards, external hard drives, audio recorders and even cell/smart phones, any of which can be used to transport audio, video and computer data in and out of a government building or data center. An intentionally disguised device could be a recorder that looks like a car-key fob or a coffee mug with a USB drive hidden in a false bottom.
The difference between COTS and disguised devices is that if someone is caught with a COTS device, security will recognize and confiscate it. The disguised device might not be recognizable, and anyone could carry it into the workplace, making it especially devious.
Risk 4: Poor or nonexistent screening. Even government facilities with strict cybersecurity protocols can fall short when it comes to physically screening people for data-transfer and recording media as they enter and exit facilities. This is a huge mistake, and the consequences can be dire.
Years ago, it was much harder for the average person to figure out where to sell stolen data. Now with the Dark Web, anyone using the Tor browser can access forums requesting specific information, greatly increasing the likelihood data thieves can sell their stolen information.
The good news is that all of these threats are avoidable with the right measures.
Combating the physical risks to data security
Not long ago, the building/physical security department and the IT/cybersecurity department were two completely separate entities of an organization, with little interaction. Now government agencies are realizing that they must take a holistic approach to security. Physical security and cybersecurity must be considered simultaneously for an airtight policy that protects sensitive, confidential assets from attack.
One of the most effective means of physical detection is a ferromagnetic detection system. It’s non-invasive and can detect anything with a magnetic signature -- including hard drives, cell phones, SD cards and recording devices as well as other ferrous metal objects, like weapons. This kind of screening should be part of the “trust, but verify” model, in which agencies assume the best of their employees and anyone else entering the building, but still take necessary precautions.
Douglas Miorandi is director of federal programs, counterterrorism and physical data security for Metrasens.